Author Topic: INGDiba German Phishing website, not blocked by Avast  (Read 3246 times)


Secondmineboy
INGDiba German Phishing website, not blocked by Avast
« on: April 22, 2014, 04:17:07 PM »
Blacklisted by ESET: hxxps://www.virustotal.com/en/url/f4c5b1af2d3095f2a627ea41ede5b295bce8a138224eaf6e7a2e7b4d2623d42e/analysis/1398175992/
1 suspicious file by Quttera: hxxp://quttera.com/detailed_report/b.ing-forward.com
The website is spread via a spam mail, which is attached as a screenshot.

I think this is something for polonus to take a look at.
« Last Edit: April 22, 2014, 04:33:53 PM by Steven Winderlich »
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Pondus
Re: INGDiba German Phishing website, not blocked by Avast
« Reply #1 on: April 22, 2014, 04:36:30 PM »
URL is listed at PhishTank ... so those using OpenDNS are protected

Secondmineboy
Re: INGDiba German Phishing website, not blocked by Avast
« Reply #2 on: April 22, 2014, 04:39:29 PM »
It wasn't in PhishTank a few minutes ago, it just got added.

I got this spam mail today in Gmail, and I don't have anything to do with INGDiba at all.

URL is blocked by Kaspersky's heuristic analysis as a phishing website.
« Last Edit: April 22, 2014, 04:47:55 PM by Steven Winderlich »

Secondmineboy
Re: INGDiba German Phishing website, not blocked by Avast
« Reply #3 on: April 22, 2014, 08:40:25 PM »
Bitdefender is now detecting it too.

Website seems to be down now.
« Last Edit: April 22, 2014, 08:48:12 PM by Steven Winderlich »

polonus
Re: INGDiba German Phishing website, not blocked by Avast
« Reply #4 on: April 23, 2014, 10:56:15 PM »
Hi Steven Winderlich,

IP is on an abused and misused server at Cloudflare -> http://support.clean-mx.com/clean-mx/viruses.php?ns2=greg.ns.cloudflare.com&sort=email%20asc&response=alive

Also clear on detection is Sucuri's: http://sitecheck.sucuri.net/results/www.b.ing-forward.com
See: http://toolbar.netcraft.com/site_report?url=http://www.b.ing-forward.com  risk rating 10/10 all red!
Everything fine here: http://dnscheck.pingdom.com/?domain=ing-forward.com&timestamp=1398287558&view=1
But errors and delegation problems starting for the subdomain: http://dnscheck.pingdom.com/?domain=b.ing-forward.com&timestamp=1398287657&view=1
Not enough nameserver information was found to test the zone b.ing-forward.com, but an IP address lookup succeeded in spite of that.
Looks like a zone-forward attack took place there  ;D

Code: 302,  htxp://tr.im    (a conditional redirect found)

Redirect to external server! (using the tr.im URL shortener)

See: http://fetch.scritch.org/%2Bfetch/?url=b.ing-forward.com&useragent=Fetch+useragent&accept_encoding=

Malicious as given here: hxtp://b.ing-forward.com redirects to htxp://tr.im

Dr.Web's URL checker flags it.
htxp://tr.im is in Dr.Web malicious sites list!

Checking: htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js
File size: 7485 bytes
File MD5: 1dd6654ed7e60462d63b8e9409d23283

htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js - archive JS-HTML
>htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js/JSTAG_1[17a][4d] - Ok
>htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js/JSTAG_2[722][43] - Ok
>htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js/JSTAG_3[1855][2a3] - Ok
>htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js/JSTAG_4[1b21][203] - Ok
htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js - Ok  *

Checking: htxp://tr.im
Engine version: 7.0.9.4080
Total virus-finding records: 5141003
File size: 7817 bytes
File MD5: 6be4d3b17491d0fdadf701622da6fea5

htxp://tr.im - archive JS-HTML
>htxp://tr.im/JSTAG_1[17a][4d] - Ok
>htxp://tr.im/JSTAG_2[722][43] - Ok
>htxp://tr.im/JSTAG_3[19a4][2a3] - Ok
>htxp://tr.im/JSTAG_4[1c70][200] - Ok
htxp://tr.im - Ok

* could have been abused by ET DROP Spamhaus DROP Listed Traffic Inbound group 13 and/or ET RBN Known Russian Business Network IP group 76

pol
« Last Edit: April 23, 2014, 11:16:52 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
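The check polonus describes in the post above (fetching b.ing-forward.com with redirects disabled and spotting that it 302s off to the tr.im shortener) can be scripted so that every hop is recorded rather than silently followed. The block below is an added example written for this thread, not code from the forum or from any of the scanners named above. It walks a redirect chain manually, flags hops that change host, hops that land on a URL-shortener domain, and loops. The response table, the shortener list and the hostnames `landing.example` and `loop.example` are constructed for the example; nothing here was fetched from the live sites.

```python
"""Redirect-chain walker that flags cross-host hops and URL shorteners.

Added example, not code from the forum thread. The HTTP responses below are
constructed so the script runs offline; swap in a real fetch to use it live.
"""
from urllib.parse import urljoin, urlsplit

# Shortener hostnames worth flagging (assumption for this example; extend as needed).
SHORTENERS = {"tr.im", "bit.ly", "t.co", "goo.gl", "tinyurl.com"}

# Constructed responses keyed by URL: (status, headers). Illustrative only.
FAKE_RESPONSES = {
    "http://b.ing-forward.com/": (302, {"Location": "http://tr.im/abc123"}),
    "http://tr.im/abc123": (301, {"Location": "https://landing.example/login.php"}),
    "https://landing.example/login.php": (200, {}),
    # A two-node loop, to exercise cycle detection.
    "http://loop.example/a": (302, {"Location": "/b"}),
    "http://loop.example/b": (302, {"Location": "/a"}),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def fake_fetch(url):
    """Stand-in for an HTTP request issued with redirects disabled."""
    return FAKE_RESPONSES.get(url, (404, {}))


def walk_redirects(start, fetch=fake_fetch, max_hops=10):
    """Follow 3xx Location hops one at a time.

    Returns (chain, findings): the list of URLs visited in order, and a list of
    human-readable findings (external redirect, shortener hop, loop, hop cap).
    """
    chain = [start]
    findings = []
    seen = {start}
    url = start
    for _ in range(max_hops):
        status, headers = fetch(url)
        if status not in REDIRECT_CODES or "Location" not in headers:
            return chain, findings  # final landing page (or an error)
        # Location may be relative; resolve it against the current URL.
        nxt = urljoin(url, headers["Location"])
        src_host = urlsplit(url).hostname
        dst_host = urlsplit(nxt).hostname
        if dst_host != src_host:
            findings.append(f"{status} external redirect: {src_host} -> {dst_host}")
        if dst_host in SHORTENERS:
            findings.append(f"hop via URL shortener {dst_host}")
        chain.append(nxt)
        if nxt in seen:
            findings.append("redirect loop")
            return chain, findings
        seen.add(nxt)
        url = nxt
    findings.append(f"gave up after {max_hops} hops")
    return chain, findings


if __name__ == "__main__":
    for start in ("http://b.ing-forward.com/", "http://loop.example/a"):
        chain, findings = walk_redirects(start)
        print(" -> ".join(chain))
        for f in findings:
            print("  !", f)
```

To use it against a live URL, replace `fake_fetch` with a function that sends one request with automatic redirects turned off and returns `(status_code, headers)`; the walker never follows a hop itself, so the cross-host and shortener checks fire before any landing page is touched.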

Secondmineboy
Re: INGDiba German Phishing website, not blocked by Avast
« Reply #5 on: April 23, 2014, 11:04:29 PM »
URL is still not blocked by Avast.

3/51 on Virustotal now.

Already submitted to Avast, and it's ticketed now with normal priority.
